Docker, the startup that has made it popular to build and deploy applications in Linux containers, announced today a new feature called Content Trust in the latest version of its open-source software that can provide an extra layer of security to people using containers.

Docker Content Trust, which is now available in Docker version 1.8.0, allows people to check the legitimacy of container images before downloading them from the publicly available Docker Hub. The idea is to give companies the assurance that they won’t be deploying anything potentially dangerous atop their infrastructure.

And that’s important as Docker looks to make containers a viable alternative to more traditional virtual machine technology from staid vendors like Citrix, Microsoft, and VMware.

Here’s how Content Trust works, according to a statement Docker issued with today’s announcement:

Docker Content Trust has two distinct keys, an Offline (root) key and a Tagging (per-repository) key, that are generated and stored client-side the first time a publisher pushes an image. Each repository has its own unique tagging key, which allows the holder to digitally sign Docker images for a particular repository. The tagging key is used any time new content is added to or removed from the repository. Because the tagging key is online, it is vulnerable to being compromised. With Docker Content Trust, the publisher will be able to securely rotate compromised keys by using the offline key, which should be securely stored offline.

Docker Content Trust also generates a Timestamp key that provides protection against replay attacks, which would allow a malicious actor to serve signed but expired content. Docker manages the Timestamp key for you, reducing the hassle of having to constantly refresh the content client-side.
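The key hierarchy the statement describes, modelled as an added example that is not Docker's own code: a client-pinned offline root key authorizes an online per-repository tagging key and a timestamp key, the client rejects signed-but-expired metadata, and rotating the tagging key drops the old key from the root-signed role list. The toy RSA over small fixed primes, the Publisher class and the bundle layout are assumptions made for illustration only.

```python
import hashlib
import json
# Toy textbook RSA over small fixed primes (hypothetical stand-in for the real
# signing algorithm): it models the key roles only and offers no security.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}
def public(key):
    return {"n": key["n"], "e": key["e"]}
def digest(payload):  # canonical JSON -> integer, reduced into the toy modulus when used
    return int.from_bytes(hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).digest(), "big")
def sign(key, payload):
    return pow(digest(payload) % key["n"], key["d"], key["n"])
def verify(pub, payload, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(payload) % pub["n"]

class Publisher:
    def __init__(self):
        self.root = make_key(10007, 10009)       # offline key, never on the build host
        self.tagging = make_key(10037, 10039)    # per-repository key, online
        self.timestamp = make_key(10061, 10067)  # online, managed server-side

    def publish(self, repo, tag, image_digest, now, ttl=3600):
        roles = {"tagging": public(self.tagging), "timestamp": public(self.timestamp)}
        targets = {"repo": repo, "tag": tag, "digest": image_digest}
        stamp = {"targets_sig": sign(self.tagging, targets), "expires": now + ttl}
        return {"roles": (roles, sign(self.root, roles)),
                "targets": (targets, stamp["targets_sig"]),
                "timestamp": (stamp, sign(self.timestamp, stamp))}

    def rotate_tagging(self):  # root re-signs roles on next publish; old key drops out
        self.tagging = make_key(10069, 10079)

def verify_pull(root_pub, bundle, repo, tag, now):  # root_pub is pinned client-side
    roles, roles_sig = bundle["roles"]
    if not verify(root_pub, roles, roles_sig):
        return "bad root signature"
    stamp, stamp_sig = bundle["timestamp"]
    if not verify(roles["timestamp"], stamp, stamp_sig):
        return "bad timestamp signature"
    if now > stamp["expires"]:  # signed but expired: reject as a possible replay
        return "stale metadata (possible replay)"
    targets, targets_sig = bundle["targets"]
    if not verify(roles["tagging"], targets, targets_sig):
        return "bad tagging signature"
    if stamp["targets_sig"] != targets_sig:  # fresh timestamp must bind these targets
        return "targets do not match timestamp"
    if (targets["repo"], targets["tag"]) != (repo, tag):
        return "wrong image"
    return targets["digest"]
```

A rotation leaves any content signed by the compromised tagging key unverifiable under the new root-signed roles, while the short-lived timestamp prevents an attacker from serving the old bundle indefinitely.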